Reporting to Covered Entity. Business Associate shall report to the affected Covered Entity without unreasonable delay: (a) any use or disclosure of PHI not provided for by the Agreement of which it becomes aware; (b) any breach of unsecured PHI in accordance with 45 C.F.R. Subpart D of 45 C.F.R. 164 ("Breach Notification Rule"); and (c) any security incident of which it becomes aware. With regard to Security Incidents caused by or occurring to Business Associate, Business Associate shall cooperate with the Covered Entity's investigation, analysis, notification and mitigation activities, and except for Security Incidents caused by Covered Entity, shall be responsible for reasonable costs incurred by the Covered Entity for those activities. Notwithstanding the foregoing, Covered Entity acknowledges and shall be deemed to have received advanced notice from Business Associate that there are routine occurrences of: (i) unsuccessful attempts to penetrate computer networks or services maintained by Business Associate; and (ii) immaterial incidents such as “pinging” or “denial of services” attacks.
Reporting to Covered Entity. Business Associate shall immediately report to Covered Entity any use or disclosure of PHI not provided for by this Addendum, including breaches of unsecured PHI in accordance with the Breach Notification Rule (45 CFR Subpart D), and any security incident of which it becomes aware. Business Associate shall cooperate with Covered Entity’s investigation, analysis, notification and mitigation activities, and shall be responsible for all costs incurred by Covered Entity for those activities.
Reporting to Covered Entity. (1) For Successful Security Incidents and any other use or disclosure of PHI that is not permitted by this Agreement, the Agreement, by applicable law, or without the prior written approval of the Covered Entity, Business Associate – without unreasonable delay and in no event later than thirty (30) days after Business Associate learns of such non-permitted use or disclosure – shall provide Covered Entity a report that will:
a. Identify (if known) each individual whose Unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been accessed, acquired, or disclosed during such Breach;
b. Identify the nature of the non-permitted access, use, or disclosure including the date of the incident and the date of discovery;
c. Identify the PHI accessed, used, or disclosed (e.g., name; social security number; date of birth);
d. Identify who made the non-permitted access, use, or received the non-permitted disclosure;
e. Identify what corrective action Business Associate took or will take to prevent further non-permitted accesses, uses, or disclosures;
f. Identify what Business Associate did or will do to mitigate any deleterious effect of the non-permitted access, use, or disclosure; and
g. Provide such other information, including a written report, as the Covered Entity may reasonably request.
(2) For Unsuccessful Security Incidents, Business Associate shall provide Covered Entity, upon its written request, a report that: (i) identifies the categories of Unsuccessful Security Incidents as described in Section 4(b)(iii)(4); (ii) indicates whether Business Associate believes its current defensive security measures are adequate to address all Unsuccessful Security Incidents, given the scope and nature of such attempts; and (iii) if the security measures are not adequate, the measures Business Associate will implement to address the security inadequacies.
Reporting to Covered Entity. The Business Associate must inform the Covered Entity by telephone call, plus email or fax, within five business days of any use or disclosure of PHI not provided for by this Agreement, including breaches of unsecured PHI in accordance with 45 CFR Subpart D of 45 CFR 164 ("Breach Notification Rule"), and any successful security incident, of which it becomes aware. Business Associate shall cooperate at all times with Covered Entity's investigation, analysis, notification and mitigation activities, and shall be responsible for reasonable costs incurred by Covered Entity for those activities to the extent allowed per Wisconsin law. Any failure or refusal by the Business Associate to cooperate at all times with the Covered Entity’s investigation, analysis, notification, or mitigation activities shall be considered a breach of this Agreement whereby the Covered Entity shall have the right to pursue any and all legal action(s) due to such breach(es) of this Agreement.
i. The Violation shall be treated as “discovered” as of the first day on which the Violation is known to the Business Associate or, by exercising reasonable diligence would have been known to the Business Associate.
ii. Notification shall be provided to one of the contact persons as listed in section 4.c.
Reporting to Covered Entity. Business Associate shall report to Covered Entity any use or disclosure of PHI not expressly permitted or required by the Agreement, this BAA or required by law, including security incidents and breaches of unsecured PHI, without undue delay and not longer than thirty (30) days, in accordance with the breach notification rule at 45 C.F.R. § 164.410. Notification shall include, to the extent possible, the identification of each individual whose PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired, used, or disclosed during the breach, and any other information that is readily available to Business Associate, which Covered Entity requires to include in the notification to the individual under 45 C.F.R. 164.404(c). If not all of the information is available within such thirty (30) day period, Business Associate will provide the information that is available and continue diligent investigation and provide supplemental information as soon as reasonably practical and in no event later than sixty (60) days after becoming aware of the improper use, disclosure or Security Incident. Where Business Associate is responsible for the improper use or disclosure, Business Associate shall cooperate with Covered Entity’s investigation, analysis, notification and mitigation activities, and shall be responsible for all costs, damages, fees, penalties and related mitigation efforts for those activities.
Reporting to Covered Entity. Business Associate will report to Covered Entity any security incident (except that, for purposes of this BAA, the term “security incident” does not include inconsequential incidents that occur on a frequent basis such as scans or “pings” that are not allowed past ACO’s firewall) or use or disclosure of PHI of which it becomes aware that is not permitted or required by this BAA.
Reporting to Covered Entity. Business Associate will report to the Covered Entity any security incident or use or disclosure of PHI of which it becomes aware that is not permitted or required by this Addendum.
Reporting to Covered Entity. Business Associate will report to the Covered Entity, within ten (10) business days of discovery, any use or disclosure of Protected Health Information not provided for in this Agreement of which the Business Associate is aware. The Business Associate will report to the Covered Entity, within twenty-four (24) hours of discovery, any Security Incident of which Business Associate is aware. A violation of this paragraph shall be a material violation of this Agreement. Such notice shall include the identification of each individual whose unsecured Protected Health Information has been, or is reasonably believed by Business Associate to have been, accessed, acquired, or disclosed during such breach.
Reporting to Covered Entity. a. Contractor shall report to the Covered Entity any use or disclosure of PHI of which it becomes aware that is not permitted by this Agreement as required by 45 C.F.R. §164.504(e)(2)(ii)(C).
b. Contractor shall report to Covered Entity breaches of unsecured PHI as required by 45 C.F.R. §164.410 and §164.504(e)(2)(ii)(C).
Reporting to Covered Entity. Business Associate shall promptly report to Covered Entity: (a) any use or disclosure by Business Associate of PHI not provided for by this BAA of which it becomes aware; (b) any breach of unsecured PHI by Business Associate in accordance with 45 CFR Subpart D of 45 CFR 164 ("Breach Notification Rule"); and (c) any security incident suffered by Business Associate of which it becomes aware.